After spending huge effort to understand the exact requirements to
enforce SRBAC, we learned it's very difficult to find the required
scope in each credential. This requires understanding the implementation of
the client side as well as the server side, and the requirements might be
different according to the deployment architecture or features used.
Instead of implementing support based on the actual implementation,
this introduces support for system scope credentials to all places
where keystone user credential is defined, and make all credential

Support for additional IP address allocations when using
dhcpv6 stateful was added in https://review.opendev.org/700002
and backported to stein in https://review.opendev.org/717205.
This change adds support in the puppet module for configuring
the amount of addresses to allocate.

After merging https://review.openstack.org/#/c/602070/
the endpoint_override param was missing in cinder, glance,
neutron and swift config sections.

The Keystone v2.0 API was removed, so we have no choice but to configure
user_domain_name and project_domain_name; otherwise it falls back to
Keystone v2.0 and it fails. This patch sets the default value so we make
sure Keystone v3 will be used out of the box for our users.

Without these parameters ironic uses keystone_authtoken credentials.
This is deprecated since Newton and can be removed at any moment.
This patch provides a manifest to configure separate credentials
and moves other related parameters to it.
Reset [neutron]url to os_service_default to allow ironic to guess it,
rather than using a value that is probably wrong.